What Is the Zombie ZIP Technique?
Security researchers disclosed the Zombie ZIP technique on March 10, 2026 — a malware delivery method that exploits fundamental weaknesses in how antivirus engines and EDR platforms process ZIP archive files. The technique creates specially crafted, malformed ZIP archives whose internal structure causes security scanners to fail at decompressing and inspecting the actual payload, producing a false negative and allowing malicious content to pass undetected.
The vulnerability class underpinning Zombie ZIP was formally documented by CERT/CC under advisory VU#976247, which confirmed that malformed ZIP headers can cause antivirus and endpoint detection and response software to produce false negatives. The advisory noted that despite malformed headers, some extraction software is still able to decompress the archive, allowing payloads to execute upon file decompression on the victim system.
How the Technique Works: Exploiting ZIP Metadata
The ZIP file format relies on internal metadata fields — including compression method, flags, and version information — that antivirus engines use to determine how to preprocess and decompress an archive before scanning its contents. Zombie ZIP and related techniques manipulate these fields in ways that cause security tools to either skip decompression entirely or decompress incorrectly, leaving the actual payload unexamined.
In practice, attackers can modify the compression method field so that the antivirus fails to decompress the file. A custom loader embedded in the attack chain then ignores the declared method field and decompresses the embedded data directly, recovering and executing the malicious payload on the victim machine. The file is effectively invisible to the scanner but fully functional when extracted by the attacker's code or by certain archive utilities.
A related and documented variant involves ZIP file concatenation, where attackers combine 500 to 1,000 ZIP archives into a single file. Because many security tools only parse the first directory in a concatenated archive, malware buried in the later layers remains undetected. This specific technique was observed in active Gootloader campaigns in January 2026, where concatenated malformed ZIPs containing JavaScript payloads successfully bypassed most security tools and were only decompressible by Windows' default file archiver.
Already Used in the Wild: Gootloader and NanoCore Campaigns
Zombie ZIP is not a purely theoretical research technique. Malformed ZIP archives have been actively weaponized in multiple documented attack campaigns. In January 2026, the Gootloader malware family deployed malformed, hash-busting ZIP archives — each one uniquely crafted per victim to defeat hash-based detection — to deliver JavaScript payloads via SEO poisoning and malvertising targeting users searching for legal document templates. Once executed, the JavaScript established persistence and launched PowerShell-based execution chains linked to Vanilla Tempest ransomware operations.
Earlier campaigns have used specially crafted ZIPs to bypass secure email gateways and deliver payloads including the NanoCore RAT. The technique exploits the inconsistency in how different archive utilities (7-Zip, WinRAR, and Windows File Explorer) handle malformed archives, creating blind spots that attackers can reliably exploit.
Why Antivirus and EDR Tools Struggle to Detect This
Most antivirus and EDR platforms rely on static signature-based scanning and file metadata analysis. When an archive's metadata is deliberately corrupted or manipulated, the scanning engine may classify the file as unreadable or skip inspection of the compressed content entirely. Many security tools also lack recursive unpacking capabilities, meaning they do not parse every layer of a concatenated ZIP — a gap that threat actors have been exploiting systematically.
Organizations relying solely on signature-based detection and perimeter email filtering are most exposed. The technique does not exploit a specific software vulnerability in a single product but rather a design limitation that affects how most security tools handle malformed compressed files.
No Patch Available — Defense Depends on Detection Strategy
No universal patch exists for this class of vulnerability because it stems from how compression tools and security engines handle malformed file structures, not from a specific exploitable code flaw. CERT/CC noted that many antivirus products will still flag malformed archives as corrupted but will not detect the actual malicious payload within them.
However, defenders are not without recourse. Security teams should:
- Implement behavioral analysis tools that examine file execution patterns rather than relying on static signatures alone.
- Deploy security solutions with recursive unpacking capabilities that can parse nested and concatenated archive layers.
- Monitor for unusual ZIP file structures at the email gateway and endpoint level, including files flagged as corrupted but still executable.
- Apply content disarm and reconstruction (CDR) technology to strip and rebuild archive files before delivery to endpoints.
- Use sandboxed execution environments to detonate suspicious archives and observe runtime behavior before allowing them to reach end users.
Gootloader's malformed ZIP archives do have identifiable structural signatures that defenders can use to build detection rules, as documented by threat intelligence teams at Expel. Organizations with mature detection engineering programs can create behavioral SIEM and EDR detections based on how Windows processes these archives even when scanning tools fail.
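The following script is an added example written for this article, not code from CERT/CC, Expel, or any vendor's scanner. It illustrates the structural checks that the "How the Technique Works" section and the "monitor for unusual ZIP file structures" recommendation above point at: it walks a ZIP file's own metadata (end-of-central-directory records, central directory entries, local file headers) and reports the anomalies those sections describe, namely more than one end-of-central-directory record or a shifted directory offset (concatenated archives) and compression method fields that are unknown or disagree between the local and central headers. Which anomalies to flag, the known-method list, and the in-memory sample archives are all this example's own assumptions; the sample archives are constructed with Python's zipfile module so the script runs offline.

```python
"""Structural checks for ZIP archives (added example, not from the article's sources).

Flags the metadata anomalies the article describes: compression method values that
are unknown or that differ between local and central headers, and concatenated
archives (several end-of-central-directory records, shifted directory offsets).
Sample archives are constructed in memory for a self-test; they are not real samples.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Method ids assigned in the ZIP specification (APPNOTE). Anything else is reported
# as unknown; the list is this example's assumption, not a vendor's engine logic.
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 18, 19, 20,
                 93, 94, 95, 96, 97, 98, 99}


def find_all(data, sig):
    """Return every offset at which the 4-byte signature occurs."""
    out, start = [], 0
    while (idx := data.find(sig, start)) != -1:
        out.append(idx)
        start = idx + 1
    return out


def parse_central_entries(data, cd_start, count):
    """Parse up to `count` central directory file headers beginning at cd_start."""
    entries, off = [], cd_start
    for _ in range(count):
        if data[off:off + 4] != CENTRAL_SIG:
            break
        # sig, made-by, needed, flags, method, time, date, crc, csize, usize,
        # name_len, extra_len, comment_len, disk, int_attr, ext_attr, local_offset
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, off)
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[off + 46:off + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "method": f[4], "local_offset": f[16]})
        off += 46 + name_len + extra_len + comment_len
    return entries


def analyze_zip(data):
    """Return human-readable findings; an empty list means no structural anomaly."""
    findings = []
    eocds = find_all(data, EOCD_SIG)
    if not eocds:
        return ["no end-of-central-directory record found"]
    if len(eocds) > 1:
        findings.append(f"{len(eocds)} end-of-central-directory records: concatenated archives")
    for eocd_off in eocds:
        # sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
        _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd_off)
        # The directory must end where its EOCD begins. The declared offset is relative
        # to the start of *this* archive, so any difference means data was prepended
        # (a preceding archive, in the concatenation case).
        actual_cd = eocd_off - cd_size
        shift = actual_cd - cd_offset
        if actual_cd < 0 or data[actual_cd:actual_cd + 4] != CENTRAL_SIG:
            findings.append(f"EOCD at {eocd_off}: central directory not found at {actual_cd}")
            continue
        if shift != 0:
            findings.append(f"EOCD at {eocd_off}: central directory offset shifted by {shift} bytes")
        for e in parse_central_entries(data, actual_cd, total):
            local_off = e["local_offset"] + shift
            if data[local_off:local_off + 4] != LOCAL_SIG:
                findings.append(f"{e['name']}: local header signature missing at {local_off}")
                continue
            # Local header layout: sig(4) version(2) flags(2) method(2) ...
            local_method = struct.unpack_from("<H", data, local_off + 8)[0]
            if local_method != e["method"]:
                findings.append(f"{e['name']}: method mismatch local={local_method} central={e['method']}")
            for where, m in (("central", e["method"]), ("local", local_method)):
                if m not in KNOWN_METHODS:
                    findings.append(f"{e['name']}: unknown compression method {m} in {where} header")
    return findings


def build_clean_zip(name="readme.txt", payload=b"constructed sample text\n" * 40):
    """Constructed, well-formed single-entry archive (deflate)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_concatenated(count=3):
    """Constructed sample of the concatenation variant: complete archives appended."""
    return b"".join(build_clean_zip(f"part{i}.txt") for i in range(count))


if __name__ == "__main__":
    for label, blob in (("clean", build_clean_zip()), ("concatenated", build_concatenated())):
        print(label, "->", analyze_zip(blob) or "no findings")
```

The offset-shift check mirrors what a lenient extractor does when it honours the last end-of-central-directory record and silently re-bases the directory; reporting the shift instead of compensating for it is the point of a detection-side parser. In production this logic belongs behind the gateway or EDR file pipeline as an additional verdict source, not as a replacement for recursive unpacking.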